Bug 1756458 - User upgrading a cluster from 4.1 to 4.2 before official release may bypass security protection
Summary: User upgrading a cluster from 4.1 to 4.2 before official release may bypass s...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.1.z
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 4.1.z
Assignee: Clayton Coleman
QA Contact: liujia
URL:
Whiteboard:
Depends On: 1756453 1756454
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-09-27 17:07 UTC by Clayton Coleman
Modified: 2019-10-30 19:01 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1756454
Environment:
Last Closed: 2019-10-30 19:01:18 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift origin pull 23875 0 None closed Bug 1756458: Separate upgrade flags for safety instead of abusing force 2020-03-13 09:30:46 UTC
Red Hat Product Errata RHBA-2019:3152 0 None None None 2019-10-30 19:01:29 UTC

Description Clayton Coleman 2019-09-27 17:07:25 UTC
+++ This bug was initially created as a clone of Bug #1756454 +++

+++ This bug was initially created as a clone of Bug #1756453 +++

Users are allowed (and in pre-prod environments, encouraged) to upgrade clusters to versions that may not be in a stable channel. In addition, between minor versions of the product (4.1 and 4.2) edges may not be created in the stable channel, but we want users to try it out.

To try that out today requires `oc adm upgrade --force` which bypasses signature verification and introduces a security risk.  The CLI really should not force that choice on users, and in 4.3 we anticipate adding additional checks that have nothing to do with that behavior.

For 4.1 and 4.2 we should split the --force flag in oc adm upgrade to only apply to server override, and use more specific flags for client side override (--allow-explicit-upgrade for using --to-image, and --allow-unsafe-upgrade for bypassing cluster version failure and upgrade in progress).

Comment 2 liujia 2019-10-23 09:54:27 UTC
Version:
4.1.0-0.nightly-2019-10-23-020857

# ./oc version
Client Version: version.Info{Major:"4", Minor:"1+", GitVersion:"v4.1.21-201910221726+974fd4f-dirty", GitCommit:"974fd4f", GitTreeState:"dirty", BuildDate:"2019-10-22T22:57:09Z", GoVersion:"go1.11.13", Compiler:"gc", Platform:"linux/amd64"}


### check for --allow-explicit-upgrade
1) install 4.1.20
2) upgrade to a payload not in available update
# ./oc adm upgrade --to-image registry.svc.ci.openshift.org/ocp/release:4.1.0-0.nightly-2019-10-23-020857 --force
error: The requested upgrade image is not one of the available updates, you must pass --allow-explicit-upgrade to continue
3) add required variable
# ./oc adm upgrade --to-image registry.svc.ci.openshift.org/ocp/release:4.1.0-0.nightly-2019-10-23-020857 --force --allow-explicit-upgrade
Updating to release image registry.svc.ci.openshift.org/ocp/release:4.1.0-0.nightly-2019-10-23-020857

# ./oc adm upgrade
info: An upgrade is in progress. Working towards 4.1.0-0.nightly-2019-10-23-020857: 13% complete

No updates available. You may force an upgrade to a specific release image, but doing so may not be supported and result in downtime or data loss.

### check for --allow-upgrade-with-warnings
1) continue to do another upgrade when there is an upgrade ongoing
# ./oc adm upgrade --to-image registry.svc.ci.openshift.org/ocp/release:4.1.0-0.nightly-2019-10-22-071247 --allow-explicit-upgrade
error: Already upgrading, pass --allow-upgrade-with-warnings to override.

  Reason: 
  Message: Working towards 4.1.0-0.nightly-2019-10-23-020857: 24% complete
2) add required variable
# ./oc adm upgrade --to-image registry.svc.ci.openshift.org/ocp/release:4.1.0-0.nightly-2019-10-22-071247 --allow-explicit-upgrade --allow-upgrade-with-warnings
Updating to release image registry.svc.ci.openshift.org/ocp/release:4.1.0-0.nightly-2019-10-22-071247

Comment 4 errata-xmlrpc 2019-10-30 19:01:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3152


Note You need to log in before you can comment on or make changes to this bug.